[Openswan Users] [configuration] pending Phase 2 for "xxx" replacing #0

Peter McGill petermcgill at goco.net
Wed Aug 27 15:23:34 EDT 2008


Jeff,

You shouldn't need kernel patches unless you're using KLIPS and NAT-T,
which you are not. Setting Source and Dest on the Fortigate didn't work?

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 

> -----Original Message-----
> From: MM.ST [mailto:jfendrody at mm.st] 
> Sent: August 27, 2008 3:14 PM
> To: 'MM.ST'; petermcgill at goco.net
> Subject: RE: [Openswan Users] [configuration] pending Phase 2 for "xxx" replacing #0
> 
> Peter,
> 
> I was checking Openswan packages available for Ubuntu and 
> Kernel patch.
> Are they needed for the configuration to work ?
> 
> Today only "openswan" is installed (i). Should I install
> "linux-patch-openswan" and "kernel-patch-openswan" ?
> 
> root at ks2228:~# aptitude search openswan
> v   kernel-patch-openswan           -
> p   linux-patch-openswan            - IPSEC Linux kernel support for
> Openswan
> i   openswan                        - IPSEC utilities for Openswan
> p   openswan-modules-source         - IPSEC kernel modules source for
> Openswan
> 
> Thanks,
> Jeff
> 
> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of MM.ST
> Sent: Wednesday, 27 August 2008 20:28
> To: petermcgill at goco.net
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] [configuration] pending Phase 2 for "xxx" replacing #0
> 
> Peter,
> 
> First of all let me thank you for your help and the time 
> spent on my issue.
> 
> Regarding your suggestions, when adding "%defaultroute" anywhere in
> /etc/ipsec.conf, I get the following error message:
> Aug 27 20:17:02 ks2228 ipsec__plutorun: ipsec_auto: fatal error in "innov2demain": %defaultroute requested but not known
> 
> Adding " leftnexthop=1.2.3.254" makes no difference.
> 
> I downloaded the latest release but unfortunately I got error messages when
> I try to compile the package (missing .h files).
> 
> I will spend some more time on the issue but I consider I have made no
> progress for 3 days now.
> As the VPN should be up by the end of the week, I am considering moving the
> server to Windows and using FortiClient, but I guess I will have other kinds of
> issues with that OS ...
> 
> Anyway, thanks again for your support !
> 
> 
> -----Original Message-----
> From: Peter McGill [mailto:petermcgill at goco.net]
> Sent: Wednesday, 27 August 2008 15:59
> To: MM.ST
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] [configuration] pending Phase 2 for "xxx" replacing #0
> 
> Jeff,
> 
> The problem is not obvious to me, if someone else
> can offer Jeff some help, please do so.
> 
> Summary:
> Openswan appears to be installed correctly,
> you have no firewall rules or masquerade rules.
> Your Openswan and Fortigate configs match.
> Yet it gets stuck on STATE_MAIN_I1.
> 
> Can you ping the Fortigate via the internet without encryption?
> 
> You could try adding one of the following to your conn:
> 	leftnexthop=%defaultroute
> 	leftnexthop=1.2.3.254
> 
> I'm not sure it will help, but you could disable DH Group 1 & 5
> on the Fortigate, so that it's only using 2 same as Openswan,
> disable NAT-T support on both sides, since you don't need it,
> and upgrade to a newer version of Openswan, 2.4.6 is very old.
> http://openswan.org/code/
> 
> Peter
> 
> MM.ST wrote:
> > Hi Peter,
> > 
> > Thanks for the help.
> > My answers in your email.
> > 
> > Jeff
> > 
> > -----Original Message-----
> > From: Peter McGill [mailto:petermcgill at goco.net]
> > Sent: Tuesday, 26 August 2008 16:32
> > To: MM.ST
> > Cc: users at openswan.org
> > Subject: Re: [Openswan Users] [configuration] pending Phase 2 for "xxx" replacing #0
> > 
> > At this point it looks like the two endpoints are not communicating,
> > let alone connecting.
> > 
> > Do your Fortigate logs say anything?
> > 
> > JFE>> Fortigate is not very helpful in terms of logs. I cannot get anything
> > useful from it.
> > 
> > Did you permit IPSec and tunneled traffic to pass through the firewall
> > without masquerading it?
> > 
> > JFE>> Left side is connected directly to the internet, no firewall. Right
> > end FW is ok.
> > 
> > Can you verify that the packets are being sent/received by packet sniffing?
> > 
> > JFE>> I did not yet but I could. I will let you know.
> > 
> > Are your real left/right ip's public internet addresses?
> > They should be if possible, otherwise you will need NAT-T.
> > Note even with NAT-T the Fortigate will need a public ip.
> > 
> > JFE>> Yes they are public internet addresses.
> > 
> > You're trying to connect just one computer to the Fortigate LAN, correct?
> > This is what your ipsec.conf would indicate.
> > 
> > JFE>> Yes. Left end is just one single computer.
> > 
> > The following are not likely the cause, but may cause you future 
> > problems, so addressing them now won't hurt.
> > 
> > What Diffie-Hellman (DH) Groups does the Fortigate allow?
> > DH Group 1 is insecure and Openswan will refuse to use it,
> > make sure the Fortigate is using Group 2 or 5. (1024 or 1536 bit)
> > 
> > JFE>> For Phase 1, Fortigate allows DH group 1, 2 and 5.
> > JFE>> For Phase 2, Fortigate allows DH group 2 only.
> > 
> > You can further match the DH group with Openswan as follows:
> > 	ike=3des-sha1;modp1024
> > 	esp=3des-sha1
> > 
> > JFE>> Updated. I had to change "ike=3des-sha1;modp1024" to "
> > ike=3des-sha1-modp1024"
> > JFE>> Don't know if that matters.
> > 
> > Try with compress=no first, compression sometimes does not work.
> > 
> > JFE>> Ok, I change ipsec.conf accordingly.
> > 
> > Make sure the Fortigate is using Main mode not Aggressive mode.
> > 
> > JFE>> It is configured in Main mode.
> > 
> > Note your keylifes do not match, ike is phase 1. This will not
> > prevent connection but may prematurely end it.
> > 	ikelifetime=28800
> > 	keylife=1800
> > 
> > JFE>> Updated.
> > 
> > If none of this helps you, you may need to send an ipsec barf > 
> > ipsec_barf.txt, which should contain most necessary information
> > to fix the problem. Don't worry it will not contain your keys.
> > 
> > JFE>> I ran the command. The output is quite impressive.
> > JFE>> As I do not know what's useful in there and I do not want to copy the
> > whole in the email
> > JFE>> I created a dedicated web page with the full content.
> > JFE>> I also added print screens of the fortigate config.
> > JFE>> you can find it here : http://www.innovinfo.fr/openswan/index.html
> > 
> > JFE>> Thanks again for the support !
> > 
> > Peter
> > 
> > 
> > MM.ST wrote:
> >> Dear Openswan experts,
> >>
> >> I am brand new to openswan (and VPN in general) and have been googling
> >> with no success for 2 days trying to fix my problem.
> >>
> >> Any help from the community would be most welcome.
> >>
> >> I am trying to connect 1 server to a network protected by a Fortigate
> >> firewall through a VPN.
> >>
> >> I managed to get openswan running on linux (Ubuntu) --at least I guess
> >> so...
> >> But I cannot get the VPN up and running...
> >>
> >> Ok here come the technical details.
> >>
> >> Let's start with the Fortigate configuration:
> >> Phase 1:
> >>   - remote IP 1.2.3.4
> >>   - pre-shared key : "key"
> >>   - Encryption : 3DES
> >>   - Authentication : SHA1
> >>   - Key lifetime : 28800 seconds
> >> Phase 2:
> >>   - Encryption : 3DES
> >>   - Authentication : SHA1
> >>   - Key lifetime : 1800 seconds
> >>
> >> Now the openswan configuration:
> >> /etc/ipsec.conf:
> >>   config setup
> >>     interfaces="ipsec0=eth0"
> >>     nat_traversal=yes
> >>     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.254.0/24
> >>
> >>   conn innov2demain
> >>    left=1.2.3.4
> >>    right=99.98.97.96
> >>    rightsubnet=192.168.254.0/24
> >>    keyexchange=ike
> >>    auto=start
> >>    authby=secret
> >>    esp=3des
> >>    compress=yes
> >>    ikelifetime=1800
> >>   # Disable Opportunistic Encryption
> >>   include /etc/ipsec.d/examples/no_oe.conf
> >>
> >> /etc/ipsec.secrets
> >>   1.2.3.4 99.98.97.96 : PSK "test"
> >>
> >>
> >> Here come the logs :
> >>
> >> root at ks2228:/proc/sys/net/ipv4/conf# ipsec verify
> >>   Checking your system to see if IPsec got installed and started
> >>   correctly:
> >>   Version check and ipsec on-path                                 [OK]
> >>   Linux Openswan U2.4.6/K2.6.24.2-xxxx-std-ipv4-32 (netkey)
> >>   Checking for IPsec support in kernel                            [OK]
> >>   NETKEY detected, testing for disabled ICMP send_redirects       [OK]
> >>   NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
> >>   Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
> >>     ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> >>   Checking that pluto is running                                  [OK]
> >>   Two or more interfaces found, checking IP forwarding            [OK]
> >>   Checking NAT and MASQUERADEing                                  [OK]
> >>   Checking for 'ip' command                                       [OK]
> >>   Checking for 'iptables' command                                 [OK]
> >>   Opportunistic Encryption Support                                [DISABLED]
> >>
> >> root at ks2228:/proc/sys/net/ipv4/conf# /etc/init.d/ipsec status
> >>   IPsec running  - pluto pid: 22136
> >>   pluto pid 22136
> >>   No tunnels up
> >>
> >>
> >> root at ks2228:/var/log# ipsec auto --verbose --up innov2demain
> >>   I have no feedback at all. Nothing happens ...
> >>
> >> root at ks2228:/proc/sys/net/ipv4/conf# ipsec auto --status
> >>   000 interface lo/lo 127.0.0.1
> >>   000 interface lo/lo 127.0.0.1
> >>   000 interface eth0/eth0 1.2.3.4
> >>   000 interface eth0/eth0 1.2.3.4
> >>   000 %myid = (none)
> >>   000 debug none
> >>   000
> >>   000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> >>   000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> >>   000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> >>   000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> >>   000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> >>   000
> >>   000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> >>   000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> >>   000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> >>   000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> >>   000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> >>   000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> >>   000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> >>   000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> >>   000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> >>   000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> >>   000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> >>   000
> >>   000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36} trans={0,3,72} attrs={0,3,48}
> >>   000
> >>   000 "innov2demain": 1.2.3.4...99.98.97.96===192.168.254.0/24; prospective erouted; eroute owner: #0
> >>   000 "innov2demain":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
> >>   000 "innov2demain":   ike_life: 1800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> >>   000 "innov2demain":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 32,24; interface: eth0;
> >>   000 "innov2demain":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> >>   000 "innov2demain":   ESP algorithms wanted: 3_000-1, 3_000-2, flags=strict
> >>   000 "innov2demain":   ESP algorithms loaded: 3_000-1, 3_000-2, flags=strict
> >>   000
> >>   000 #41: "innov2demain":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s; nodpd
> >>   000 #41: pending Phase 2 for "innov2demain" replacing #0
> >>   000 #41: pending Phase 2 for "innov2demain" replacing #0
> >>   000 #41: pending Phase 2 for "innov2demain" replacing #0
> >>   000
> >>
> >>
> >> root at ks2228:/proc/sys/net/ipv4/conf# tail -n 1000 /var/log/syslog | grep -i ipsec
> >>   Aug 26 08:01:16 ks2228 ipsec_setup: ...Openswan IPsec stopped
> >>   Aug 26 08:01:16 ks2228 ipsec_setup: Stopping Openswan IPsec...
> >>   Aug 26 08:01:24 ks2228 ipsec_setup: KLIPS ipsec0 on eth0 1.2.3.4/255.255.255.0 broadcast 1.2.3.255
> >>   Aug 26 08:01:24 ks2228 ipsec_setup: ...Openswan IPsec started
> >>   Aug 26 08:01:24 ks2228 ipsec_setup: Starting Openswan IPsec U2.4.6/K2.6.24.2-xxxx-std-ipv4-32...
> >>   Aug 26 08:01:25 ks2228 ipsec__plutorun: 104 "innov2demain" #1: STATE_MAIN_I1: initiate
> >>   Aug 26 08:01:25 ks2228 ipsec__plutorun: ...could not start conn "innov2demain"
> >>
> >>
> >> root at ks2228:~# tail -n 100000 /var/log/auth.log | grep -i pluto
> >>   Aug 26 08:01:15 ks2228 pluto[22836]: shutting down
> >>   Aug 26 08:01:15 ks2228 pluto[22836]: forgetting secrets
> >>   Aug 26 08:01:15 ks2228 pluto[22836]: "innov2demain": deleting connection
> >>   Aug 26 08:01:15 ks2228 pluto[22836]: "innov2demain" #42: deleting state (STATE_MAIN_I1)
> >>   Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface lo/lo 127.0.0.1:4500
> >>   Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface lo/lo 127.0.0.1:500
> >>   Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface eth0/eth0 1.2.3.4:4500
> >>   Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface eth0/eth0 1.2.3.4:500
> >>   Aug 26 08:01:24 ks2228 ipsec__plutorun: Starting Pluto subsystem...
> >>   Aug 26 08:01:24 ks2228 pluto[27748]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID   PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
> >>   Aug 26 08:01:24 ks2228 pluto[27748]: Setting NAT-Traversal port-4500 floating to on
> >>   Aug 26 08:01:24 ks2228 pluto[27748]:    port floating activation criteria nat_t=1/port_fload=1
> >>   Aug 26 08:01:24 ks2228 pluto[27748]:   including NAT-Traversal patch (Version 0.6c)
> >>   Aug 26 08:01:24 ks2228 pluto[27748]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
> >>   Aug 26 08:01:24 ks2228 pluto[27748]: WARNING: Using /dev/urandom as the source of random
> >>   Aug 26 08:01:24 ks2228 pluto[27748]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> >>   Aug 26 08:01:24 ks2228 pluto[27748]: starting up 1 cryptographic helpers
> >>   Aug 26 08:01:24 ks2228 pluto[27764]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
> >>   Aug 26 08:01:24 ks2228 pluto[27764]: WARNING: Using /dev/urandom as the source of random
> >>   Aug 26 08:01:24 ks2228 pluto[27748]: started helper pid=27764 (fd:6)
> >>   Aug 26 08:01:24 ks2228 pluto[27748]: Using Linux 2.6 IPsec interface code on 2.6.24.2-xxxx-std-ipv4-32
> >>   Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/cacerts'
> >>   Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/aacerts'
> >>   Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/ocspcerts'
> >>   Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/crls'
> >>   Aug 26 08:01:25 ks2228 pluto[27748]:   Warning: empty directory
> >>   Aug 26 08:01:25 ks2228 pluto[27748]: added connection description "innov2demain"
> >>   Aug 26 08:01:25 ks2228 pluto[27748]: listening for IKE messages
> >>   Aug 26 08:01:25 ks2228 pluto[27748]: adding interface eth0/eth0 1.2.3.4:500
> >>   Aug 26 08:01:25 ks2228 pluto[27748]: adding interface eth0/eth0 1.2.3.4:4500
> >>   Aug 26 08:01:25 ks2228 pluto[27748]: adding interface lo/lo 127.0.0.1:500
> >>   Aug 26 08:01:25 ks2228 pluto[27748]: adding interface lo/lo 127.0.0.1:4500
> >>   Aug 26 08:01:25 ks2228 pluto[27748]: loading secrets from "/etc/ipsec.secrets"
> >>   Aug 26 08:01:25 ks2228 pluto[27748]: "innov2demain" #1: initiating Main Mode
> >>
> >> I probably missed something around 3DES, SHA1 and the likes but I can't
> >> figure out what's wrong ...
> >>
> >> Any clue ??
> >>
> >> ------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> Users at openswan.org
> >> http://lists.openswan.org/mailman/listinfo/users
> >> Building and Integrating Virtual Private Networks with Openswan:
> >> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> > 
> > 
> 
> 
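The diagnosis Peter works through above (Phase 1 stuck at STATE_MAIN_I1 with retransmits, ikelifetime/keylife the reverse of the Fortigate's values, compression left on) can be checked mechanically against `ipsec auto --status` output. The script below is an added example, not code from anyone in this thread or from Openswan itself. It parses status lines of the form Jeff posted (the embedded sample is constructed to mirror that output, with the thread's placeholder addresses), compares the lifetimes against the peer values the thread gives for the Fortigate (Phase 1 28800 s, Phase 2 1800 s), and prints findings. The regexes, field names and finding codes are the example's own assumptions, not an Openswan API.

```python
import re

# Constructed sample modelled on the "ipsec auto --status" output posted in the
# thread (connection name and addresses are the thread's placeholders, not real).
SAMPLE_STATUS = """\
000 "innov2demain": 1.2.3.4...99.98.97.96===192.168.254.0/24; prospective erouted; eroute owner: #0
000 "innov2demain":   ike_life: 1800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "innov2demain":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 32,24; interface: eth0;
000 "innov2demain":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #41: "innov2demain":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s; nodpd
000 #41: pending Phase 2 for "innov2demain" replacing #0
"""

# Lifetimes configured on the peer, as the thread describes the Fortigate side:
# Phase 1 (IKE SA) 28800 s, Phase 2 (IPsec SA) 1800 s. Adjust for your own peer.
PEER_IKE_LIFETIME = 28800
PEER_IPSEC_LIFETIME = 1800

# Line shapes taken from the status output above (assumed stable for Openswan 2.x).
LIFE_RE = re.compile(r'^"(?P<conn>[^"]+)":\s+ike_life:\s*(?P<ike>\d+)s;\s*ipsec_life:\s*(?P<ipsec>\d+)s')
POLICY_RE = re.compile(r'^"(?P<conn>[^"]+)":\s+policy:\s*(?P<policy>[A-Z0-9+]+);')
SA_RE = re.compile(r'^"(?P<conn>[^"]+)":\s+newest ISAKMP SA:\s*#(?P<isakmp>\d+);\s*newest IPsec SA:\s*#(?P<ipsec>\d+);')
STATE_RE = re.compile(r'^#(?P<sa>\d+):\s+"(?P<conn>[^"]+)":\d+\s+(?P<state>STATE_[A-Z0-9_]+)\s+\((?P<detail>[^)]*)\)'
                      r'(?:;\s*(?P<event>EVENT_[A-Z_]+) in (?P<secs>\d+)s)?')


def parse_status(text):
    """Return {conn_name: {...}} from Openswan 'ipsec auto --status' lines."""
    conns = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("000 "):
            line = line[4:]          # strip the whack status-code prefix
        m = LIFE_RE.match(line)
        if m:
            c = conns.setdefault(m["conn"], {})
            c["ike_life"] = int(m["ike"])
            c["ipsec_life"] = int(m["ipsec"])
            continue
        m = POLICY_RE.match(line)
        if m:
            conns.setdefault(m["conn"], {})["policy"] = set(m["policy"].split("+"))
            continue
        m = SA_RE.match(line)
        if m:
            c = conns.setdefault(m["conn"], {})
            c["newest_isakmp_sa"] = int(m["isakmp"])
            c["newest_ipsec_sa"] = int(m["ipsec"])
            continue
        m = STATE_RE.match(line)
        if m:
            c = conns.setdefault(m["conn"], {})
            c.setdefault("states", []).append({
                "sa": int(m["sa"]), "state": m["state"],
                "detail": m["detail"], "event": m["event"],
            })
    return conns


def diagnose(conns, peer_ike=PEER_IKE_LIFETIME, peer_ipsec=PEER_IPSEC_LIFETIME):
    """Return a list of (conn, code, message) findings for each parsed connection."""
    findings = []
    for name, c in conns.items():
        states = c.get("states", [])
        stuck = [s for s in states
                 if s["state"] == "STATE_MAIN_I1" and s["event"] == "EVENT_RETRANSMIT"]
        # No ISAKMP SA ever completed and MI1 keeps being retransmitted: nothing came
        # back from the peer, so this is a reachability or silent-drop problem, not a
        # Phase 2 (ESP) mismatch.
        if c.get("newest_isakmp_sa", 0) == 0 and stuck:
            findings.append((name, "phase1_no_reply",
                "MI1 sent, no MR1 received (retransmitting): the peer is not answering "
                "on UDP/500. Either the packets never reach it, its reply does not come "
                "back, or the responder silently drops the proposal. Capture "
                "'udp port 500' on both ends before changing crypto settings."))
        ike, ipsec = c.get("ike_life"), c.get("ipsec_life")
        if ike is not None and (ike, ipsec) == (peer_ipsec, peer_ike):
            findings.append((name, "lifetimes_swapped",
                "ikelifetime/keylife are the peer's values reversed: set "
                "ikelifetime=%ds and keylife=%ds." % (peer_ike, peer_ipsec)))
        elif ike is not None and (ike != peer_ike or ipsec != peer_ipsec):
            findings.append((name, "lifetimes_differ",
                "lifetimes differ from the peer (ike %s vs %s, ipsec %s vs %s); "
                "the tunnel can come up but may be torn down early on rekey."
                % (ike, peer_ike, ipsec, peer_ipsec)))
        policy = c.get("policy", set())
        if "COMPRESS" in policy:
            findings.append((name, "compress",
                "IPComp is in the policy; many gateways reject or mishandle it. "
                "Try compress=no."))
        if "PFS" in policy:
            findings.append((name, "pfs",
                "PFS is required for Phase 2; the peer must have PFS enabled with "
                "the same DH group, or Quick Mode will fail."))
    return findings


if __name__ == "__main__":
    for conn, code, msg in diagnose(parse_status(SAMPLE_STATUS)):
        print("%s [%s]: %s" % (conn, code, msg))
```

Feed it real output with `ipsec auto --status | python3 diag.py` after swapping `SAMPLE_STATUS` for `sys.stdin.read()`; the point of the `phase1_no_reply` finding is that it tells you to look at the network path first, exactly where Peter's advice ends up (ping the Fortigate, sniff UDP/500), rather than at the proposal details.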



More information about the Users mailing list